Microsoft Index Server Exposes IDs and Passwords Reported May 15 ,1997 by Andrew Smith Systems Affected Windows NT with IIS and Index Server (e.g. any NT system using IIS with webhits.exe in the default location or locatable/executable path) The Problem MS Index Server (formerly code named Tripoli) is Microsoft's search engine for Internet Information Server. It recently shipped with Service Pack 2 for Windows NT and is installed on most Microsoft NT Internet Information web servers. Index Server is a very useful search engine for the Internet Information Server. One component contained in Index Server is called the Hit Counter. Hit counter enables users to view their searched documents with the words of their queries highlighted.. The Hit Counter (webhits.exe) allows the web server to read files that should not normally be able to be read. This is similar to a bug found recently that allows users to read Active Server Script files by placing a period at the end of the URL. In many cases an Active Server script contains a username and password to a network resource, usually a SQL server. This password and username can be used to gain access to the SQL system and possibly to the web server itself. If the system administrator has left the default sample files on the Internet Information server, a hacker would have the opportunity of narrowing down their search for a username and password. A simple query of a popular search engine shows about four hundred websites that have barely modified versions of the sample files still installed and available. This file is called queryhit.htm. Many webmasters have neglected to modify the search fields to only search certain directories and avoid the script directories. Once one of these sites is located a search performed can easily narrow down the files a hacker would need to find a username and password. Using the sample search page it is easy to specify only files that have the word password in them and are script files (.asp or .idc files, cold fusion scripts, even .pl files are good). The URL the hacker would try is http://servername/samples/search/queryhit.htm then the hacker would search with something like "#filename=*.asp" When the results are returned not only can one link to the files but also can look at the "hits" by clicking the view hits link that uses the webhits program. This program bypasses the security set by IIS on script files and allows the source to be displayed. Even if the original samples are not installed or have been removed a hole is still available to read the script source. If the server has Service Pack 2 fully installed (including Index Server) they will also have webhits.exe located in the path http://servername/scripts/samples/search/webhits.exe This URL can preface another URL on that server and display the contents of the script. Stopping the Attack To protect your server from this problem remove the webhits.exe file from the server, or at least from it's default directory. I also recommend that you customize your server search pages and scripts (.idq files) to make sure they only search what you want - such as plain .HTM or .HTML files. Index Server is a wonderful product but be sure you have configured it properly. Microsoft's Response: Andrew Smith has made Microsoft aware of the problem, but they have yet to release a formal fix as of May 19, 1997. If you want to learn more about new NT security concerns, subscribe to NTSD. Credit: Andrew Smith Original page located here. Post on The NT Shop May 19, 1997